Cybersecurity from the Inside Out
Cybersecurity continues to be a hot topic in 2018 and many companies are now coming to realize that it is more than a regulatory inconvenience. The real question is: How do we truly protect ourselves? And what controls are going to be the most beneficial without breaking the bank?
While there are a variety of frameworks to help you evaluate your cybersecurity inherent risk and controls maturity, I believe the true marker is a company’s corporate security culture. As ISACA puts it, “Corporate security culture determines what an organization does about security, as opposed to what it intends to do.”
In a nutshell, security culture drives what happens with security when people are left to their own devices. For example, do they make the right choice when faced with whether or not to click on a link?
A strong security culture is both a mindset and mode of operation. One that’s integrated into day-to-day thinking and decision making can make for a nearly impenetrable operation. Here are five ways I believe you can help build a strong security culture within your organization:
1. Begin at employment
Many companies believe that candidates must fit into the current corporate culture and have personalysis profiles or cultural fit studies done before employment.
Why not take the same approach to security?
We can all be asking prospects questions, prior to their employment, to get an idea of how they would deal with security. We can ask technical questions about their security knowledge or behavioral questions to help figure out how they dealt with security issues in the past.
2. Start from the top
Security culture begins at the top, with the CEO or head of the company. This person must model good security practices themselves and speak sincerely about it at every opportunity.
Unfortunately, in some organizations, the “C staff” are the most susceptible to social engineering attacks because the trainers are usually hesitant to hold them to the same standards as the rest of the staff. It is pretty easy for the employees to see right through this.
The company head must understand enough about security to really speak about it.
3. Build a security community
Security community is the backbone of sustainable security culture. Security community connects people across the company and eliminates the adversarial relationship with IT that sometimes occurs with security awareness testing.
Security community is achieved by understanding the different security interest levels within the organization: advocates, the security conscious, and sponsors.
- Security advocates are the passionate security members that will drive the community. They are usually going to be your IT folks and the leaders within your community.
- The security conscious are not as passionate, but realize they need to contribute to make security better. This group benefits the most when your Bank truly achieves a security culture. Include members from all groups including tellers and other front-line staff and they will inspire security-minded practices with their peers.
- The sponsors are those from management who help shape the security direction. Gather all of these folks together into a special interest group focused on security.
4. Reward and recognize those people that do the right thing for security
The heading says it all. Be invested in your training program and look for opportunities to celebrate success. Even a compliment can go a long way. For example:
- When someone goes through the mandatory security awareness program and completes it successfully, acknowledge that they have done so.
- During a social engineering test, if an employee does the right thing, reward them.
A simple cash reward or gift card is a huge motivator for people and will cause them to remember the security lesson that provided the money. They will be quick to tell their co-workers they received cash for learning, which will motivate others to jump into the training as well.
If you worry about the extra expense of some incentives, think about your return on investment. The return on investment for preventing just a single data breach greatly outweighs the sum of the incentives.
5. Make security fun and engaging
Last, but certainly not least, is fun. For far too long people have associated security with boring training or someone saying “No” all the time. To cement a sustainable security culture, build fun and engaging techniques into the training process. If you have specific security training, ensure that it is not a boring voice-over PowerPoint presentation.
Think of new training scenarios that are out of the box. Throw a phishing writing workshop and have your employees write a phishing email for the company. This would help employees identify tactics that are usually used in phishing attacks and help them spot threatening emails later. It is a fresh scenarios to use as training that will engage employees. Give a cash reward for the best email and use it!